If system policies do not meet your requirements, you can create custom policies to implement the principle of least privilege. Custom policies allow you to implement fine-grained control over permissions and improve resource access security. This topic describes custom policies for Intelligent Media Services (IMS) and provides sample custom policies.
Custom policy introduction
RAM policies are classified into system policies and custom policies. You can create, update, and delete custom policies. You must manage the versions of custom policies.
After you create a custom policy, you must attach the policy to a RAM user, RAM user group, or RAM role. This way, the permissions that are specified in the policy can be granted to the principal.
You can delete a RAM policy that is not attached to a principal. If a RAM policy is attached to a principal, you must detach the RAM policy from the principal before you can delete the RAM policy.
Custom policies support version control. You can manage custom policy versions based on the version management mechanism provided by RAM.
Common scenarios and examples of custom policies
This section describes only the parameters of the sample policy for granting the read-only permissions on some IMS resources. The parameters of other sample policies in this section are not described because the parameters are similar.
Grant the read-only permissions on some IMS resources
{
  "Version": "1",
  "Statement": [
    {
      "Action": [
        "ice:GetMediaProducingJob",
        "ice:GetEditingProject",
        "ice:GetMediaInfo",
        "ice:ListMediaBasicInfos",
        "ice:SearchEditingProject"
      ],
      "Resource": "*",
      "Effect": "Allow",
      "Condition": {
        "IpAddress": {
          "acs:SourceIp": "192.168.0.1"
        }
      }
    }
  ]
}
Parameter description

Version (required): The policy version. Set the value to 1 for IMS.

Statement (required): The statement. A single policy can contain multiple statements. Each statement contains the following elements: Action, Resource, Effect, and Condition.

Action (required): The action. Each action corresponds to an API operation. Specify the value in the ice:<API operation name> format. Separate multiple actions with commas (,). You can specify multiple actions to configure a permission group. For more information about all available API operations, see List of operations by function.

Resource (required): The IMS resources that can be accessed by authorized users. Asterisks (*) can be used as wildcards. Specify the value in the acs:ice:<regionId>:<accountId>:* format. The Resource parameter can also have multiple values, which means multiple resources. The regionId field is not supported. Set the regionId field to *. IMS does not classify resources. We recommend that you set the Resource parameter to an asterisk (*) or acs:ice:*:*:* if you want to grant permissions on media assets.

Effect (required): Specifies whether a statement result is an explicit allow or an explicit deny. Valid values: Allow and Deny. The system checks the statements one by one for each request. If the value of the Effect parameter is Allow in all matched statements, the request is allowed. If the value of the Effect parameter is Deny in one matched statement or no statements are matched, the request is denied. Important: If a policy includes an Allow statement and a Deny statement, the Deny statement takes precedence over the Allow statement.

Condition (optional): The access control conditions of the policy. For more information, see the "Condition" section of the Policy elements topic.
Grant the read-only permissions on all IMS resources
{
  "Version": "1",
  "Statement": [
    {
      "Action": [
        "ice:Get*",
        "ice:List*",
        "ice:Search*",
        "ice:Describe*"
      ],
      "Resource": "acs:ice:*:*:*",
      "Effect": "Allow"
    }
  ]
}
Grant full permissions, including the write permissions, on IMS resources
{
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "ice:*",
      "Resource": "acs:ice:*:*:*"
    }
  ],
  "Version": "1"
}
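As an added illustration (not part of this topic or of the RAM service itself), the following Python script applies the Effect rules described in the parameter description to the sample policies above, so you can check what a given action, resource and source IP would get before attaching a policy. The request resource string, the placeholder account ID and the ALLOW_WITH_DENY policy are constructed for the example, and only the IpAddress / acs:SourceIp condition is modelled.

```python
import fnmatch
import ipaddress

# Sample policies copied from this topic.
READ_ONLY_SOME = {"Version": "1", "Statement": [{
    "Action": ["ice:GetMediaProducingJob", "ice:GetEditingProject", "ice:GetMediaInfo",
               "ice:ListMediaBasicInfos", "ice:SearchEditingProject"],
    "Resource": "*", "Effect": "Allow",
    "Condition": {"IpAddress": {"acs:SourceIp": "192.168.0.1"}}}]}
READ_ONLY_ALL = {"Version": "1", "Statement": [{
    "Action": ["ice:Get*", "ice:List*", "ice:Search*", "ice:Describe*"],
    "Resource": "acs:ice:*:*:*", "Effect": "Allow"}]}
# Constructed policy (not from the topic) mixing Allow and Deny to show that Deny wins.
ALLOW_WITH_DENY = {"Version": "1", "Statement": [
    {"Action": "ice:*", "Resource": "acs:ice:*:*:*", "Effect": "Allow"},
    {"Action": "ice:GetMediaInfo", "Resource": "acs:ice:*:*:*", "Effect": "Deny"}]}

def _as_list(value):
    return value if isinstance(value, list) else [value]

def _matches(patterns, value):
    # Policy values use * as a wildcard; fnmatchcase treats * the same way (case-sensitive).
    return any(fnmatch.fnmatchcase(value, p) for p in _as_list(patterns))

def _condition_ok(condition, source_ip):
    # Only the IpAddress / acs:SourceIp condition used in this topic is modelled;
    # each value may be a single address or a CIDR block.
    if not condition:
        return True
    if source_ip is None:
        return False
    allowed = _as_list(condition.get("IpAddress", {}).get("acs:SourceIp", []))
    ip = ipaddress.ip_address(source_ip)
    return any(ip in ipaddress.ip_network(a, strict=False) for a in allowed)

def evaluate(policy, action, resource, source_ip=None):
    """Return 'Allow' or 'Deny' for one request, following the Effect rules:
    Allow only if every matched statement allows; Deny if any matched statement
    denies or if no statement matches at all."""
    effects = [stmt["Effect"] for stmt in policy["Statement"]
               if _matches(stmt["Action"], action)
               and _matches(stmt["Resource"], resource)
               and _condition_ok(stmt.get("Condition"), source_ip)]
    if not effects or "Deny" in effects:
        return "Deny"
    return "Allow"

if __name__ == "__main__":
    res = "acs:ice:*:1234567890:*"  # constructed resource string with a placeholder account ID
    print(evaluate(READ_ONLY_SOME, "ice:GetMediaInfo", res, "192.168.0.1"))  # Allow
    print(evaluate(READ_ONLY_SOME, "ice:GetMediaInfo", res, "10.0.0.5"))     # Deny: condition fails
    print(evaluate(ALLOW_WITH_DENY, "ice:GetMediaInfo", res))                 # Deny: Deny takes precedence
```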
References
Before you create custom policies, you must understand the permission control requirements of your business and learn about the authorization rules for IMS. For more information, see RAM authorization.